When an application or service provider offers a service to a client or to the client's user, it is often necessary to authenticate the client and/or the user. Authentication involves proving, to the satisfaction of the relying party (the application or service provider), that the requester is who the requester purports to be.
Some authentication is direct authentication, in which the requester interfaces directly with the relying party in order to prove the requester's identity. For instance, the requester might provide a user name and a password that is known to the requester and to the relying party but would be difficult for a third party to guess. In practice the relying party should retain only a salted, slow hash of the password rather than the password itself, and compare hashes in constant time, so that a compromise of its user store does not directly yield the credentials.
Some authentication is federated authentication, in which the relying party directs the requester to a third-party identity provider that the relying party trusts. The requester negotiates with the identity provider until the requester is authenticated to the identity provider. The identity provider then provides tamper-resistant credentials (typically a signed assertion or token) to the requester, claiming that the requester has been properly authenticated. The requester presents these credentials to the relying party, which interprets them as stating that the identity provider has authenticated the requester; the relying party never sees the requester's password or other secret. Given the trust that exists between the relying party and the identity provider (normally established out of band by exchanging the identity provider's verification key), the relying party may likewise consider the requester authenticated, provided it verifies that the credential's signature is valid under that key, that the issuer is one it trusts, that the credential was issued for this relying party rather than for some other audience, and that its validity period has not lapsed.
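The following added example, which is not code from the original page, shows both flows in miniature: the identity provider authenticates the requester directly (user name and password checked against a salted scrypt hash), then issues a signed credential; the relying party accepts the requester purely on the basis of that credential, checking signature, issuer, audience and expiry. The token layout, claim names and class names are assumptions chosen for illustration, not a standard. It also assumes the identity provider and relying party share an HMAC key; a real deployment would normally use an asymmetric signature so that the relying party holds only a public verification key and cannot mint credentials itself.

```python
"""Added illustration of direct and federated authentication (not from the page).
Assumptions: IdP and RP share an HMAC key (real systems usually use asymmetric
signatures); token layout and claim names are invented for this example."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional, Tuple


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _hash_password(password: str, salt: bytes) -> bytes:
    # Memory-hard KDF so a stolen user table cannot be brute-forced cheaply.
    return hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)


class IdentityProvider:
    """Authenticates requesters directly, then vouches for them to relying parties."""

    def __init__(self, name: str, signing_key: bytes):
        self.name = name
        self._key = signing_key
        self._users: Dict[str, Tuple[bytes, bytes]] = {}  # user -> (salt, hash)

    def register(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[user] = (salt, _hash_password(password, salt))

    def authenticate_direct(self, user: str, password: str) -> bool:
        """Direct authentication: the requester proves knowledge of the password."""
        salt, stored = self._users.get(user, (b"\x00" * 16, b"\x00" * 64))
        # Run the KDF and a constant-time compare whether or not the user exists,
        # so response timing does not reveal which user names are valid.
        matches = hmac.compare_digest(_hash_password(password, salt), stored)
        return matches and user in self._users

    def issue_credential(self, user: str, password: str, audience: str,
                         now: Optional[float] = None, ttl: int = 300) -> Optional[str]:
        """Authenticate the requester, then sign claims the relying party can check."""
        if not self.authenticate_direct(user, password):
            return None
        now = time.time() if now is None else now
        claims = {"iss": self.name, "sub": user, "aud": audience,
                  "iat": int(now), "exp": int(now) + ttl, "jti": secrets.token_hex(8)}
        body = _b64(json.dumps(claims, sort_keys=True).encode())
        sig = hmac.new(self._key, body.encode(), hashlib.sha256).digest()
        return f"{body}.{_b64(sig)}"


class RelyingParty:
    """Accepts requesters on the strength of a trusted identity provider's credential."""

    def __init__(self, name: str, trusted_idps: Dict[str, bytes]):
        self.name = name
        self._trusted = trusted_idps  # IdP name -> verification key (out-of-band trust)

    def verify_credential(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the authenticated subject, or None if the credential is unacceptable."""
        now = time.time() if now is None else now
        try:
            body, sig_text = token.split(".")
            claims = json.loads(_unb64(body))
            sig = _unb64(sig_text)
        except ValueError:                       # malformed token or bad base64/JSON
            return None
        if not isinstance(claims, dict):
            return None
        issuer = claims.get("iss")
        key = self._trusted.get(issuer) if isinstance(issuer, str) else None
        if key is None:                          # unknown or untrusted issuer
            return None
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):   # tamper-resistance check
            return None
        if claims.get("aud") != self.name:       # credential meant for another RP
            return None
        exp = claims.get("exp")
        if not isinstance(exp, int) or exp <= now:   # stale credential
            return None
        return claims.get("sub")


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    idp = IdentityProvider("idp.example", key)
    rp = RelyingParty("app.example", {"idp.example": key})
    idp.register("alice", "correct horse battery staple")
    t0 = 1_700_000_000
    token = idp.issue_credential("alice", "correct horse battery staple", "app.example", now=t0)
    print("accepted as:", rp.verify_credential(token, now=t0 + 10))
    print("after expiry:", rp.verify_credential(token, now=t0 + 301))
```

The relying party's checks are deliberately ordered so that an attacker who cannot produce a valid signature learns nothing about audience or expiry handling, and every rejection path returns the same `None` rather than a distinguishing error.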